Creating an image from a cinder volume runs as root
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | New | Undecided | Unassigned | |
Bug Description
Implementing secure NFS for cinder, we have run into an issue. Using the deployment guide, root has been squashed and setuid disabled on the exports.
The problem results when trying to generate a qcow2 image from a boot cinder volume. This is run by the service cinder-volume.
What we see in the log is:
1. We generate a qcow2 image from a boot cinder volume: "volume-
extracted from (/var/log/
2016-10-28 11:01:40.419 12178 TRACE oslo_messaging.
2016-10-28 11:01:40.419 12178 TRACE oslo_messaging.
2016-10-28 11:01:40.419 12178 TRACE oslo_messaging.
2016-10-28 11:01:40.419 12178 TRACE oslo_messaging.
2016-10-28 11:01:40.419 12178 TRACE oslo_messaging.
2016-10-28 11:01:40.419 12178 TRACE oslo_messaging.
2. We observe the following permissions:
[root@cvs1lco03 mnt]# find /var/lib/cinder/mnt -name "*volume-
/var/lib/
[root@cvs1lco03 mnt]# ls -ld /var/lib/
-rw-rw----. 1 cinder cinder 21474836480 Oct 28 07:48 /var/lib/
[root@cvs1lco03 mnt]# ls -ld /var/lib/
drwxr-xr-x. 5 cinder cinder 4096 Aug 19 12:39 /var/lib/
[root@cvs1lco03 mnt]# ls -ld /var/lib/
drwxr-xr-x. 2 cinder cinder 4096 Oct 28 07:48 /var/lib/
3. The problem is that the process that converts to the qcow2 image uses the tool qemu-img, which runs as root:
root 20776 20773 4 11:32 ? 00:00:00 /usr/bin/python2 /usr/bin/
root 20777 20776 24 11:32 ? 00:00:00 /bin/qemu-img convert -O qcow2 /var/lib/
We find that cinder uses “/usr/bin/
( https:/
[root@cvs1lco03 mnt]# cat /etc/sudoers.
Defaults:cinder !requiretty
cinder ALL = (root) NOPASSWD: /usr/bin/cinder-
To make the process run as cinder we have done the following:
We introduce a new optional parameter in a method in cinder python code:
"/usr/
...
def copy_volume_
"""Copy the volume to the specified image."""
self.local_
.........
We added the last line "run_as_
Including this optional parameter, we can upload cinder-volumes to glance-images as "cinder":
ps -fe
cinder 27448 20682 0 14:08 ? 00:00:00 qemu-img convert -O qcow2 /var/lib/
Can this be added to the driver?
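An added example, not part of the original report or of Cinder's code: a check over `ps -fe` output that flags qemu-img processes running as root against files under the NFS mount base /var/lib/cinder/mnt, which can confirm that conversions run as cinder once such a change is in place. The process lines, volume paths and wrapper name in the sample are constructed.

```python
import os
import shlex

# Mount base taken from the find command in the report.
NFS_MOUNT_BASE = "/var/lib/cinder/mnt"

# Constructed `ps -fe` lines; volume paths and the wrapper name are made up.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root     20776 20773  4 11:32 ?        00:00:00 /usr/bin/python2 /usr/bin/example-wrapper qemu-img convert -O qcow2 /var/lib/cinder/mnt/abc123/volume-0001 /tmp/img1
root     20777 20776 24 11:32 ?        00:00:00 /bin/qemu-img convert -O qcow2 /var/lib/cinder/mnt/abc123/volume-0001 /tmp/img1
cinder   27448 20682  0 14:08 ?        00:00:00 qemu-img convert -O qcow2 /var/lib/cinder/mnt/abc123/volume-0002 /tmp/img2
root     30001     1  0 14:09 ?        00:00:00 /bin/qemu-img convert -O qcow2 /srv/local/disk.raw /srv/local/disk.qcow2
"""


def parse_ps(text):
    """Yield (user, pid, argv) for each process line of `ps -fe` output."""
    for line in text.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[1].isdigit():
            continue  # header or malformed line
        try:
            argv = shlex.split(fields[7])
        except ValueError:
            argv = fields[7].split()  # unbalanced quotes: fall back to whitespace
        yield fields[0], int(fields[1]), argv


def under_mount(path, base=NFS_MOUNT_BASE):
    """True when path, once normalised, lies below the NFS mount base."""
    path = os.path.normpath(path)
    return path.startswith(base.rstrip("/") + "/")


def root_conversions(text):
    """Return (pid, path) for qemu-img processes run by root on the NFS mount."""
    hits = []
    for user, pid, argv in parse_ps(text):
        # Only the qemu-img process itself counts, not a wrapper that names it.
        if user != "root" or os.path.basename(argv[0]) != "qemu-img":
            continue
        hits += [(pid, a) for a in argv[1:] if a.startswith("/") and under_mount(a)]
    return hits


if __name__ == "__main__":
    for pid, path in root_conversions(SAMPLE_PS):
        print("pid %d runs qemu-img as root on %s" % (pid, path))
```

On a live host the same function can be fed the captured output of `ps -fe` instead of the sample text.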
description: updated
As noted, nas_secure_ operations has been set to True. In a general workflow with nas_secure_ operations, run_as_root is disallowed. In this case it isn't.